NzoUrlEncryptorBundle

by NAYZO

Symfony Bundle used to Encrypt and Decrypt data and variables in the Web application


The NzoUrlEncryptorBundle is a Symfony Bundle used to encrypt and decrypt data and variables in a web application, or values passed through the URL, to add a layer of protection to the project.
It also prevents users from reading and modifying sensitive data sent through the URL.

This Version (^5.0) is compatible with Symfony >= 5, for Symfony 2, 3 and 4 use the composer tag: ^4.3 instead.

Features include:

  • Compatible with Symfony 5
  • URL data & parameter encryption
  • URL data & parameter decryption
  • Data encryption & decryption
  • Easy access from Twig
  • Flexible configuration
  • Uses the OpenSSL extension

By default, this bundle uses the aes-256-ctr algorithm.

CTR mode without an additional authentication step is malleable: a ciphertext can be modified so that it decrypts to a different plaintext, and if the plaintext is guessable this can lead to IDOR (Insecure Direct Object Reference).

Thus, this bundle should not be used to encrypt sensitive data, since by default it does not prevent users from modifying the encrypted values.

Since the key is reused for every message, a user who is able to guess the plaintext of one ciphertext will be able to decrypt any other ciphertext.

For the record, before releases v5.0.1 and v4.3.2 the key and IV were not mandatory, which means that anyone could have decrypted and modified the encrypted data.
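The two weaknesses described above (malleable CTR output and a fixed keystream) are what an "additional authentication step" and a per-message IV address. The following is an added, stand-alone PHP example, not code from this bundle: it seals a value with aes-256-ctr under a fresh random IV and appends an HMAC-SHA256 tag over IV and ciphertext, so that any modified or truncated token is rejected before decryption. The function names sealToken/openToken, the HKDF labels and the demo key are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not part of the bundle): encrypt-then-MAC around aes-256-ctr.
const CIPHER = 'aes-256-ctr';
const TAG_LEN = 32; // HMAC-SHA256 raw output

/**
 * Encrypt $plaintext with a fresh random IV and append an HMAC tag over
 * IV || ciphertext. Separate encryption and MAC keys are derived from one
 * master key with HKDF. Output is URL-safe base64 without padding.
 */
function sealToken(string $plaintext, string $masterKey): string
{
    $encKey = hash_hkdf('sha256', $masterKey, 32, 'url-token-enc');
    $macKey = hash_hkdf('sha256', $masterKey, 32, 'url-token-mac');

    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // never reuse the keystream
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);

    return rtrim(strtr(base64_encode($iv . $ciphertext . $tag), '+/', '-_'), '=');
}

/**
 * Verify the tag in constant time, then decrypt. Returns null for any token
 * that is malformed, truncated or modified, so callers never act on garbage.
 */
function openToken(string $token, string $masterKey): ?string
{
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        return null;
    }
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, -TAG_LEN);
    $ciphertext = substr($raw, $ivLen, -TAG_LEN);

    $macKey = hash_hkdf('sha256', $masterKey, 32, 'url-token-mac');
    $expected = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return null; // tampered, truncated or wrong key: refuse to decrypt
    }

    $encKey = hash_hkdf('sha256', $masterKey, 32, 'url-token-enc');
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);

    return $plaintext === false ? null : $plaintext;
}

/** Self-check: round trip succeeds, a one-character change to the token is rejected. */
function selfTest(): bool
{
    $key = 'constructed-demo-key-replace-in-real-use'; // constructed sample key
    $token = sealToken('42', $key);
    if (openToken($token, $key) !== '42') {
        return false;
    }
    $tampered = $token;
    $tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';

    return openToken($tampered, $key) === null;
}

echo selfTest() ? "round trip ok, tampered token rejected\n" : "self-test failed\n";
```

Because the IV is random per message, two encryptions of the same id produce different tokens, which also removes the "guess one plaintext, decrypt them all" property of a fixed keystream.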

Installation

Through Composer:

Install the bundle:

$ composer require nzo/url-encryptor-bundle

Register the bundle in app/AppKernel.php (without Flex):

// app/AppKernel.php

public function registerBundles()
{
    return array(
        // ...
        new Nzo\UrlEncryptorBundle\NzoUrlEncryptorBundle(),
    );
}

Configure your application's config.yml:

Configure your secret encryption key:

# app/config/config.yml (Symfony V2 or V3)
# config/packages/nzo_url_encryptor.yaml (Symfony V4)

nzo_url_encryptor:
    secret_key: YourSecretEncryptionKey    # Required, max length of 100 characters.
    secret_iv:  YourSecretIv               # Required only if "random_pseudo_bytes" is FALSE. Max length of 100 characters.
    cipher_algorithm:                      # optional, default: 'aes-256-ctr'
    base64_encode:                         # optional, default: TRUE
    format_base64_output:                  # optional, default: TRUE, used only when 'base64_encode' is set to TRUE
    random_pseudo_bytes:                   # optional, default: FALSE (generate a random encrypted text output)

Usage

In the twig template:

Use the twig extensions filters or functions to encrypt or decrypt your data:

// Filters:

# Encryption:

    <a href="{{path('my-route', {'id': myId | urlencrypt } )}}"> My link </a>

    {{myVar | urlencrypt }}

# Decryption:

    <a href="{{path('my-route', {'id': myId | urldecrypt } )}}"> My link </a>

    {{myVar | urldecrypt }}


// Functions:

# Encryption:

    <a href="{{path('my-path-in-the-routing', {'id': nzoEncrypt('myId') } )}}"> My link </a>

    {{ nzoEncrypt(myVar) }}

# Decryption:

    <a href="{{path('my-path-in-the-routing', {'id': nzoDecrypt('myId') } )}}"> My link </a>

    {{ nzoDecrypt(myVar) }}

In the controller with annotation service:

Use the ParamDecryptor / ParamEncryptor annotations to decrypt or encrypt controller parameters automatically, listing in the annotation every parameter that should be decrypted or encrypted.

use Nzo\UrlEncryptorBundle\Annotations\ParamDecryptor;
use Nzo\UrlEncryptorBundle\Annotations\ParamEncryptor;

class MyController extends AbstractController
{
    /**
     * @ParamDecryptor(params={"id", "bar"})
     */
    public function decryptionAction($id, $bar)
    {
        // no need to use the decryption service here as the parameters are already decrypted by the annotation service.
        //...
    }

    /**
     * @ParamEncryptor(params={"id", "bar"})
     */
    public function encryptionAction($id, $bar)
    {
        // no need to use the encryption service here as the parameters are already encrypted by the annotation service.
        //...
    }
}

In the controller (With autowiring):

use Nzo\UrlEncryptorBundle\UrlEncryptor\UrlEncryptor;

class MyController extends AbstractController
{
    private $encryptor;

    public function __construct(UrlEncryptor $encryptor)
    {
        $this->encryptor = $encryptor;
    }

    public function indexAction($data)
    {
        $encrypted = $this->encryptor->encrypt($data);

        $decrypted = $this->encryptor->decrypt($data);
    }
}

In the controller (Without autowiring):

class MyController extends Controller
{
    public function indexAction($data)
    {
        $encrypted = $this->get('nzo_url_encryptor')->encrypt($data);

        $decrypted = $this->get('nzo_url_encryptor')->decrypt($data);
    }
}
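The controller snippets above show how to call encrypt() and decrypt(); they do not show the check that keeps an encrypted id from turning into an IDOR. The following is an added example, not code from the bundle or its README: it decrypts a route parameter with the bundle's UrlEncryptor (assumed, as on this page, to take and return a string), rejects anything that is not a well-formed id, and then still enforces an authorization decision for the current user. The Invoice entity, InvoiceRepository and the INVOICE_VIEW voter attribute are constructed names for this example.

```php
<?php
// Added example (not part of the bundle): decryption is not authorization.
namespace App\Controller;

use App\Entity\Invoice;                 // constructed for this example
use App\Repository\InvoiceRepository;   // constructed for this example
use Nzo\UrlEncryptorBundle\UrlEncryptor\UrlEncryptor;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class InvoiceController extends AbstractController
{
    private $encryptor;
    private $invoices;

    public function __construct(UrlEncryptor $encryptor, InvoiceRepository $invoices)
    {
        $this->encryptor = $encryptor;
        $this->invoices = $invoices;
    }

    /**
     * @Route("/invoice/{id}", name="invoice_show", methods={"GET"})
     */
    public function show(string $id): Response
    {
        // A modified CTR ciphertext decrypts to arbitrary bytes rather than
        // failing, so validate the shape of the decrypted value before use.
        $plainId = $this->encryptor->decrypt($id);
        if (!is_string($plainId) || !ctype_digit($plainId) || strlen($plainId) > 18) {
            throw $this->createNotFoundException();
        }

        $invoice = $this->invoices->find((int) $plainId);
        if (!$invoice instanceof Invoice) {
            throw $this->createNotFoundException();
        }

        // The actual protection against IDOR: an access decision tied to the
        // logged-in user (a voter for INVOICE_VIEW, constructed here),
        // independent of whether the id in the URL was encrypted.
        $this->denyAccessUnlessGranted('INVOICE_VIEW', $invoice);

        return $this->render('invoice/show.html.twig', ['invoice' => $invoice]);
    }

    /**
     * Build a link with an encrypted id, the same thing the Twig
     * "urlencrypt" filter does in a template.
     */
    public function linkFor(Invoice $invoice): string
    {
        return $this->generateUrl('invoice_show', [
            'id' => $this->encryptor->encrypt((string) $invoice->getId()),
        ]);
    }
}
```

Treat the encrypted parameter as obfuscation of the URL, not as proof that the caller is allowed to see the object; the voter check is what decides access.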

License

This bundle is under the MIT license. See the complete license in the bundle:

See Resources/doc/LICENSE

The MIT License (MIT)

Copyright (c) 2014 Ala Eddine khefifi

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.